Translation of Press Release of the German Federal Data Protection Commissioner 
regarding Amendments to the Federal Data Protection Act

 by Christopher Kuner

German Original Available at

http://www.bfd.bund.de/Presse/pm20010511.html

Comment by Christopher Kuner: On Friday, May 11, the upper chamber of the German Parliament (Bundesrat, made up of representatives of the federal states) voted to amend the German Federal Data Protection Act (BDSG).  The law entered into force on May 23.  The following press release gives an overview of major changes brought about by the new Act. Note that processing already being undertaken must be brought into compliance with the new Act within three years (for processing within the EU) or five years (for processing outside the EU to which the Act applies).

Amendments to Federal Data Protection Act now in Force

The new Federal Data Protection Act (BGBl. I of May 22, 2001, p. 904) entered into force on May 23, 2001.

The Federal Data Protection Commissioner, Dr. Joachim Jacob, made the following statement:

With these amendments of the Federal Data Protection Act (BDSG) the provisions of the EU Data Protection Directive 95/46/EC of October 1995 have finally been implemented into national law.  The Act contains a number of changes, in particular with regard to business activities, of which only the most important can be discussed here.

Thus, there have been numerous expansions in the general part of the Act, which apply both for the public and the non-public sector.  The provisions of the BDSG will also apply in the non-public sector for all automatic processing of personal data; a relation to a data file will then only be necessary in cases of manual processing (§ 1 para. 2 no. 3 BDSG).  The Act also contains the following changes:

• Fixing of the principle of data avoidance and data minimization (§ 3a BDSG);
  
• Provisions on the transfer of personal data abroad, also for the non-public sector (§§ 4b and 4c BDSG, by deletion of the previous § 17 BDSG);
  
• Provisions on the duty of notification and pre-control, §§ 4d and 4e BDSG (with deletion of the previous § 32 BDSG); the duty of notification does not apply if a data protection officer is named, which significantly strengthens the position of data protection officers.  The duties of data protection officers will also include so-called pre-control of processing which contains particular risks for personality rights;
  
• Uniform provisions for data protection officers, which are now also mandated for the public sector, §§ 4f and 4g BDSG (with deletion of the previous §§ 36 and 37 BDSG);
  
• Restrictive provisions for automated decision-making, § 6a BDSG;
  
• Legal conditions for video surveillance (also by private persons) of publicly-accessible premises, § 6 BDSG.  This will only be permitted under particular circumstances under conditions set forth in the Act, and must be made discernible through special measures and must be weighed against the protectable interests of the data subject.  In addition, the Act contains duties of purpose limitation, information, and deletion;
  
• Legal conditions for the issuance and the use of mobile personal storage and processing media (smart cards), § 6c BDSG, which should lead to more transparency and legal security for data subjects;
  
• Provisions on data protection audits, § 9a BDSG;
  
• Improvements of rights of information, notification, and objection;
  
• Strengthening of the data protection authorities, which will also be able to enforce the law without a particular complaint having been made, § 38 para. 1 BDSG;
  
• Expansion of criminal and monetary penalties, which will also cover substantive violations of the BDSG, §§ 43 and 44 BDSG.

Of particular importance are changes concerning data processing by the private sector, which will considerably increase the protection provided to citizens affected:

• Strict application of the principle of purpose limitation, both for processing for one’s own purposes and for professional data processors;
  
• Application of the principle that processing must be limited to a specific purpose already at the time personal data are collected;
  
• A duty of notification to data subjects concerning their rights of objection and to the data controller in the case of data processing for purposes of advertising, marketing or market research;
  
• Particular provisions concerning the collection, processing, and use of sensitive data (information on racial and ethnic origin, political opinion, religious or philosophical views, membership of labor unions, health, or sex life);
  
• Expanded rights of data subjects regarding listing in address, telephone, sectoral or similar directories.

Data protection in Germany in the interest of all citizens is significantly increased by the entry into force of the new BDSG.